Forum Discussion
APM: OAUTH2 JWT Token with groups claim
Hello and happy new year 😉
We use APM as OAuth Authorization Server to create JWT tokens for apps. One of our customers wants to use the MicroProfile JWT (MP-JWT) for his application, which needs some specific claims: https://github.com/eclipse/microprofile-jwt-auth/blob/master/spec/src/main/asciidoc/interoperability.asciidoc
One requirement is to encode the groups claim in JSON array:
"groups": ["red-group", "green-group", "admin-group", "admin"]
We now try to set the claim with groups from the Active Directory. With an iRule, I filtered the AD groups (from memberOf) and set a new APM variable (session.custom.groups) with this value:
["red-group", "green-group", "admin-group", "admin"]
When I now add a claim groups with %{session.custom.groups} as value, I see that string in my JWT token:
"groups": "[\"red-group\", \"green-group\", \"admin-group\", \"admin\"]"
So the value is escaped and is in quotation marks.
Is there any chance to send claims as JSON array?
Any help would be appreciated.
- Evgeny_UdaltsovNimbostratus
Create claim `groups` with value, set type `custom`:
[%{session.user.custom.memberOf}]
Create an iRule and assign it to the VS with your Access Policy:
```tcl
# memberOf string example:
#   "| CN=RedGroup_Name,OU=_Groups,DC=example,DC=com | CN=GreenGroup_Name,OU=_Groups,DC=example,DC=com | ..."
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "memberOfCustomization" } {
        set result {}
        set pattern "Any Group's Filter Pattern"
        # Get all of the user's groups from the session variable (one string)
        set memberOf [ACCESS::session data get "session.ldap.last.attr.memberOf"]
        # Get the list of "CN=..." strings (the common name of each group DN)
        set groups [regexp -all -inline "CN=.*?(?=,)" $memberOf]
        foreach elem $groups {
            # Keep only the groups matching the pattern
            if { [string first $pattern $elem] != -1 } {
                # Strip 'CN=' and append the group name, quoted and comma-terminated, to 'result'
                append result \"[regsub "CN=" $elem ""]\",
            }
        }
        # Drop the trailing comma so the claim value [%{session.user.custom.memberOf}] is valid JSON
        ACCESS::session data set session.user.custom.memberOf [string trimright $result ","]
    }
}
```
Inside your Access Policy add `iRule Event` block with `memberOfCustomization` EventID before your `OAuth Authorization` block.
APM ver 16.1.0
Hope it will be helpful 🙂
- Jad_Tabbara__J1Cirrostratus
Solution provided by F5
OAUTH2 JWT Token with custom groups claim (f5.com)
- MarvinCirrocumulus
Hi Daniel, I am looking for something similar as well, that F5 should provide a JWT wherein we have the claims (attributes) values. I am new to this, but I used the guided config and set up F5 as the authorization server; with Postman I can successfully retrieve the access token and refresh token. I configured the claims in the application on the F5.
How do I actually retrieve those values from F5? Do I have to provide the access token to F5 as an authorization header to be able to retrieve this information, or should it already be included while receiving the access token? How do I verify this with Postman (I am lacking an OAuth test app)? Could you elaborate on this, and what about this RFE, is this fixed now? Thanks a lot
- Daniel_W_Cirrus
Hi Marvin,
You can retrieve the claims in the JWT access token.
You need to add token_content_type=jwt to the request and enable JWT in the OAuth profile and Client ID.
Example:
https://sso.test.com/f5-oauth2/v1/authorize?redirect_uri=https://localhost&response_type=code&client_id=xyz&token_content_type=jwt
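As an added example (not from this thread and not F5 code), here is a small Python script that does what Daniel describes on the resource-server side: it takes the JWT access token, verifies its signature, decodes the payload, and then checks that the `groups` claim has the shape MP-JWT requires, telling a real JSON array apart from the escaped string Daniel saw in the original question. The tokens are constructed in the script and signed with HS256 under a demo secret; an APM deployment would use the signing key or JWKS configured in the OAuth profile, so the key, the algorithm and the claim values here are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. In APM the token is signed with the Authorization Server's
# configured key and verified with the matching key or JWKS; this value is only for the example.
DEMO_SECRET = b"example-shared-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """RFC 7515 base64url: URL-safe alphabet, padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding the producer stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_jwt(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a signed JWT for the demo (stands in for the token APM returns with token_content_type=jwt)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_and_decode(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Verify the HS256 signature and return the payload claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the expected algorithm so an 'alg' switch (including 'none') is rejected before anything else.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(p))


def check_groups_claim(claims: dict) -> tuple:
    """Return (ok, message). MP-JWT requires 'groups' to be a JSON array of strings."""
    groups = claims.get("groups")
    if isinstance(groups, list) and all(isinstance(g, str) for g in groups):
        return True, f"groups is a JSON array of {len(groups)} strings"
    if isinstance(groups, str):
        # The failure mode from the question: the array text was emitted as one quoted string.
        try:
            if isinstance(json.loads(groups), list):
                return False, "groups is a JSON string that only contains array text; the claim value was quoted"
        except json.JSONDecodeError:
            pass
        return False, "groups is a JSON string, not an array"
    return False, f"groups claim missing or of unexpected type {type(groups).__name__}"


# Constructed sample tokens for the two cases discussed in the thread.
GOOD_TOKEN = make_hs256_jwt({"sub": "alice", "upn": "alice@example.com",
                             "groups": ["red-group", "green-group", "admin-group", "admin"]})
BAD_TOKEN = make_hs256_jwt({"sub": "alice",
                            "groups": '["red-group", "green-group", "admin-group", "admin"]'})

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(name, check_groups_claim(verify_and_decode(tok)))
```

The check runs only after the signature is verified, so a claim shape is never reported for a token that was not issued by the configured server; a production verifier would additionally check `iss`, `aud` and `exp`.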
- MarvinCirrocumulus
I use version 13.1.3
- Rene_C__129338Nimbostratus
Bump! Same question on my side, this is actually a mandatory feature.
Any possibility to do json arrays / lists in a claim?
Thanks!
- Eric_ChenEmployee
Ah I see. Different use-case, same problem. I was seeing the same issue, but using APM for generating a Bearer token and not as the Authorization server, but the same issue occurs in both.
- Rene_C__129338Nimbostratus
But that won't work when F5 is acting as Authorization server, since it will generate the JWT along with the refresh token through some black-box magic. If there is any way to modify this generated JWT with an iRule, now this would make me quite happy, but I couldn't find any way to do this.
Also, just for reference, take care when using ACCESS::oauth sign, since it will generate the token with base64url encoding (without padding), which is different from the actual APM VE config, which will do base64 encoding WITH padding for some obscure reason.
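To make the encoding difference Rene describes concrete, here is an added Python example (not from this thread and not F5 code) that encodes the same payload both ways, a strict RFC 7515 decoder that rejects the padded standard-base64 form the way a strict JWT library would, and a lenient decoder that accepts it but reports the deviation so a verifier can log non-compliant producers. The payload is constructed, and its `?` byte was placed so that the two alphabets visibly differ (`/` in standard base64 versus `_` in base64url).

```python
import base64
import re

# Strict RFC 7515 base64url segment: URL-safe alphabet only and no '=' padding.
_B64URL_STRICT = re.compile(r"^[A-Za-z0-9_-]+$")


def encode_segment_base64url(data: bytes) -> str:
    """Compliant JWT segment (what Rene reports for ACCESS::oauth sign): URL-safe alphabet, unpadded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def encode_segment_standard_base64(data: bytes) -> str:
    """Non-compliant form (what Rene reports for the APM config path): standard alphabet, WITH padding."""
    return base64.b64encode(data).decode("ascii")


def decode_segment_strict(segment: str) -> bytes:
    """Behave like a strict JWT library: reject anything that is not unpadded base64url."""
    if not _B64URL_STRICT.match(segment):
        raise ValueError(f"not a base64url segment (padding or non-URL-safe characters): {segment!r}")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_segment_lenient(segment: str) -> tuple:
    """Decode either form; return (bytes, deviations) so the non-compliance can be logged."""
    deviations = []
    s = segment
    if s.endswith("="):
        deviations.append("padding present")
        s = s.rstrip("=")
    if "+" in s or "/" in s:
        deviations.append("standard base64 alphabet")
        s = s.replace("+", "-").replace("/", "_")
    if not _B64URL_STRICT.match(s):
        raise ValueError(f"characters outside both base64 alphabets: {segment!r}")
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), deviations


def audit_jwt_encoding(token: str) -> dict:
    """Report the deviations of each segment of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    names = ("header", "payload", "signature")
    return {name: decode_segment_lenient(seg)[1] for name, seg in zip(names, parts)}


# Constructed payload: the '?' byte sits at an offset where its low six bits form one base64 digit,
# so the standard alphabet yields '/' where base64url yields '_'.
PAYLOAD = b'{"sub":"alice","q":"?"}'

if __name__ == "__main__":
    print("base64url      :", encode_segment_base64url(PAYLOAD))
    print("standard base64:", encode_segment_standard_base64(PAYLOAD))
    print(decode_segment_lenient(encode_segment_standard_base64(PAYLOAD))[1])
```

The lenient decoder is for diagnosis of a token you already trust the origin of; the strict one is what interoperating libraries apply, which is why a padded token from one path fails where an unpadded one from the other succeeds.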
- Eric_ChenEmployee
In my case I had to remove the SSO Bearer Token config from the Access Policy and replace it with an iRule.